DHCP Snooping

Overview

DHCP Dynamic Host Configuration Protocol snooping is a series of techniques applied to ensure the security of an existing DHCP infrastructure. It is a security feature that acts like a fire wall between untrusted hosts and trusted DHCP servers. It is a layer-2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable.

The fundamental use case of DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients. Rogue DHCP servers are often used in 'man-in the middle' or 'Denial of Service' attacks from malicious purpose. Similarly DHCP clients (rogue) can also cause 'Denial of Service' attacks by continuously requesting for IP addresses causing address depletion in the DHCP server.

The DHCP snooping feature performs the following activities:

Validates DHCP messages received from un-trusted sources and filters out invalid messages.
Rate-limits DHCP traffic from trusted and un-trusted sources.
Builds and maintains the DHCP snooping binding database, which contains information about un-trusted hosts with leased IP addresses.
Utilizes the DHCP snooping binding database to validate subsequent requests from un-trusted hosts.
To retain the DHCP snooping bindings database across reloads, it is stored in a persistent file on switch itself. Upon reload, the switch restores binding database from the persistent file. On NTP sync, the lease time of the binding entries gets re-adjusted based on the timestamp that was written in the persistent file. The switch keeps the file updated by writing to the file periodically (default interval 300 seconds). Note: To ensure the accuracy of lease time adjustment, NTP should be configured on the snooper.
When DHCP snooping is used over MLAG, the DHCP snooping binding database syncing will be happening among the peers via IDL.

DHCP snooping with provider bridge is not supported.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.

Topology

Figure 73. DHCP Snooping topology

Configuration

When configuring DHCP snooping, follow these guidelines:

DHCP snooping is not active until you enable the feature on at least one VLAN, and enable DHCP snooping globally on the switch.
Before globally enabling DHCP snooping on the switch, make sure that the device acting as the DHCP server is configured and enabled.
If a Layer 2 LAN port is connected to a DHCP server, configure the port as trusted by entering the ip dhcp snooping trust interface configuration command.
If a Layer 2 LAN port is connected to a DHCP client A DHCP client is a hardware device or software that uses DHCP to get the network configuration information from a DHCP Server. VRF: VRF creates a logically isolated routing table within a single physical network device. Each VRF instance works as an independent routing instance that enables separate network traffic, maintains different routing tables, and provides network isolation., configure the port as un-trusted by entering the no ip dhcp snooping trust interface configuration command.

Procedures

The following subsections provide examples of how to enable and configure DHCP Snooping.

Enable DHCP Snooping Globally

#configure terminal	Enter Configure mode.
(config)#bridge 1 protocol mstp	Create MSTP or IEEE VLAN-bridge.
(config)#ip dhcp snooping bridge 1	Enable DHCP Snooping on the bridge
(config)#commit	Commit Candidate config to running-config

Enable DHCP Snooping on a VLAN

#configure terminal	Enter Configure mode.
(config)#vlan 2 bridge 1	Configure a VLAN for the bridge.
(config)#ip dhcp snooping vlan 2 bridge 1	Enable DHCP Snooping on the VLAN 2
(config)#commit	Commit Candidate config to running-config

Validation

Copy

OcNOS#show hardware-profile filters
 
Note: Shared count is the calculated number from available resources.
      Dedicated count provides allocated resource to the group.
      If group shares the dedicated resource with other groups, then dedicated
      count of group will reduce with every resource usage by other groups.
 
+--------------------+---------+---------------+----------------------------+
|                    | Free    |     Used      |       Total Entries        |
| Unit - TCAMS       | Entries |---------------|----------------------------|
|                    |         |  %  | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
0 DHCP-SNOOP           9717      0     5         9722    1018        8704
0 DHCP-SNOOP-IPV6      9717      0     6         9723    1019        8704